Solved

Remote Access to company mail

Posted on 2004-09-13
Last Modified: 2011-09-20
Hello,

I have a problem.  My company has an internal Exchange 2003 Server, running on Windows 2003 SBS.  This Exchange Server downloads mail from our webhost, and therefore does not directly receive mail for our domain.  All mail forwarded to my email address first goes to our webhost, then our Exchange Server gets it from there and distributes it accordingly.

I need to get remote access to my mail by the most secure means possible.  We have a current network administrator that is paranoid about publishing internal resources onto the web, yet we NEED to get our mail remotely.

I have done A LOT of reading on this topic, and have decided to use MS ISA Server and Outlook Web Access (OWA) to facilitate access to the internal mail.  That way, we will be able to log on from anywhere with an internet connection, and view our existing archive of mail.

This poses several problems (and questions) however.

Internet Connection - our internet connection is a home user ADSL type plan, with a dynamic IP address.  The DSL line comes into our building and plugs straight into a 4 port DSL modem/router.  Our server is then run off the router, as well as all our client machines.  We do not have any dedicated hardware firewall devices.  We are solely relying on the NAT firewall that is in our router.  We have no DNS name mapped to any internal resources; our webhost hosts all mail and web content.

What would be the best way to get remote access to our OWA Mail?  I can currently type SERVERNAME\EXCHANGE into internet explorer and get the OWA successfully.  Our next step is to SECURELY publish this to make it accessible to the internet.  Can anyone please give me an idea on what the best way would be to configure ISA Server to allow secure remote access to the webmail?

Thank you,

Dean.
Question by:aktivemofo

Accepted Solution

by:
The--Captain earned 100 total points
Is there some reason why you cannot just pull your mail from the same place the exchange server gets it via some sort of webmail gateway?  

Hosting externally visible internet services on a dynamic IP is ill-advised, although some folks can't seem to live without it - to that end, folks like those at http://www.dyndns.org/ are there to fill the void.  

>I can currently type SERVERNAME\EXCHANGE into internet explorer and get the OWA successfully

Hmmm - that sounds like something that is unlikely to work outside the LAN - are there any secure webmail clients (i.e. use https) that you can install on your exchange server?

Cheers,
-Jon

Assisted Solution

by:gnegrota
gnegrota earned 100 total points
OWA does have the HTTPS access mode; the problem is that this type of connection is unsafe in any case if you are not using a 'real' firewall. The 'best' way is to set up VPN (with IPSec, for example) access in your network and from there to access OWA in HTTPS and firewall all other things. Check your router's capabilities regarding VPN access.
To 'detect' the IP of your connection, use the suggestion of The--Captain!

Assisted Solution

by:ITcrow
ITcrow earned 100 total points

Connect using VPN
Outlook Web Access to access emails.

Since your company has dynamic IP address, follow Jon's suggestion and go to
http://www.dyndns.org for a work-around.

Assisted Solution

by:cooledit
cooledit earned 100 total points
Hi there,

You mentioned remote clients get a dynamic IP from the provider, right?

If you split the network into 3 subnets

1 for the internal users
1 for the Exchange server DMZ zone (I assume it's already there)
1 for the remote users

Internal ACL's have access to all + Exchange server by new route

Remote Users only to smtp port 25 forward it to the IP of the exchange server.

Assisted Solution

by:hstiles
hstiles earned 100 total points
Whatever solution you choose, the more secure you want to make it, the more complex it will probably end up being.

I would prefer a VPN type solution to anything else simply because it would give you the greatest flexibility:

using the VPN approach you could:

set up OWA via VPN.  This would remove the need for SSL encryption
use Outlook as you would in the office just providing the exchange server name
use IMAP and SMTP - although unnecessary if you are VPNing in

Otherwise:

OWA but you would have to protect via SSL and preferably publish using ISA
IMAP over the internet
Outlook via RPC over HTTPS, but this would require a front end Exchange server even if you are using ISAS

Author Comment

by:aktivemofo
Hello,

Thank you all for your suggestions.

Unfortunately, I could not convince my colleagues to consider a VPN.  It looks like we will have to use ISA Server and publish the resources as needed.

What is the best practice to install an ISA Server?  Does it HAVE to live in the DMZ? And if so, does the ISA Server software protect that actual machine - i.e. will it act as a desktop firewall for that particular box?  We do not have (and cannot afford) any firewalls... we pretty much have software only.  If we did resolve to use ISA Server, would the setup be like this:

[INTERNET] --> [ROUTER] --> [ISA SERVER] --> [SWITCH] --> [INTERNAL LAN]

I think that the biggest problem I have is understanding where to put the ISA Server, and how many network cards does it need?  So many of the guides I have read say that you need 2 NICs in the ISA box... one for internal and one for external?

Once again, any suggestions are welcome.

Thanks in advance.

-DEAN.

Expert Comment

by:gnegrota
The best practice is

                      +-----+          +--------+
---LAN(inside)--------| ISA |----------| Router |----------->( ISP )
                      +-----+          +--------+
                         |
                         | [dmz]
                         |
                     +--------+
                     | Server |
                     +--------+

In this case, ISA can be used to isolate the servers (Web, Mail, etc.), VPN access inside, firewall and filter.

Expert Comment

by:nishakash
Hi:

I have my Exchange server on the DMZ. When I use Outlook 2003, everything works fine.

BUT when I remove my server from the DMZ, then Outlook does not work and it gives the error message "Exchange server unavailable".

Please can anyone help?  I have ports 80, 110, 25, 3389, 443 and 445 open already on the router.


Thanks